cryptbot | 0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b

Analysis

max time kernel
93s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
Size

666.5MB
MD5

4db8683f70b080f0b4788262d56a3992
SHA1

14c2cd15e18dad176decc3aa6a91ebd227d8746b
SHA256

0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b
SHA512

e98b7e868e64660bd335c8de4ee1ab9b605baf281731bcde4827cbcc48cf0f9f025e38837c63795bbc0099eb5555b0347b0d40d465e782ee9e1c2c8dc04d154b
SSDEEP

49152:sh+ZkldoPK8Yac12Eat4dwyYHZQe8BySO:92cPK8NEakTYHG9y

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Executes dropped EXE 1 IoCs

pid	Process
640	Sokolevu.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sokolevu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 2196	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	85
PID 3784 wrote to memory of 2196	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	85
PID 3784 wrote to memory of 2196	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	85
PID 3784 wrote to memory of 2236	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	89
PID 3784 wrote to memory of 2236	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	89
PID 3784 wrote to memory of 2236	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	89
PID 3784 wrote to memory of 2020	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	91
PID 3784 wrote to memory of 2020	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	91
PID 3784 wrote to memory of 2020	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	91
PID 3784 wrote to memory of 1036	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	93
PID 3784 wrote to memory of 1036	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	93
PID 3784 wrote to memory of 1036	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	93
PID 3784 wrote to memory of 4800	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	95
PID 3784 wrote to memory of 4800	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	95
PID 3784 wrote to memory of 4800	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	95
PID 3784 wrote to memory of 3240	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	97
PID 3784 wrote to memory of 3240	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	97
PID 3784 wrote to memory of 3240	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	97
PID 3784 wrote to memory of 2128	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	99
PID 3784 wrote to memory of 2128	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	99
PID 3784 wrote to memory of 2128	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	99
PID 3784 wrote to memory of 1708	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	101
PID 3784 wrote to memory of 1708	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	101
PID 3784 wrote to memory of 1708	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	101
PID 3784 wrote to memory of 4732	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	103
PID 3784 wrote to memory of 4732	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	103
PID 3784 wrote to memory of 4732	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	103
PID 3784 wrote to memory of 4360	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	105
PID 3784 wrote to memory of 4360	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	105
PID 3784 wrote to memory of 4360	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	105
PID 3784 wrote to memory of 4316	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	107
PID 3784 wrote to memory of 4316	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	107
PID 3784 wrote to memory of 4316	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	107
PID 3784 wrote to memory of 1540	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	109
PID 3784 wrote to memory of 1540	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	109
PID 3784 wrote to memory of 1540	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	109
PID 3784 wrote to memory of 4596	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	111
PID 3784 wrote to memory of 4596	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	111
PID 3784 wrote to memory of 4596	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	111
PID 3784 wrote to memory of 3968	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	113
PID 3784 wrote to memory of 3968	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	113
PID 3784 wrote to memory of 3968	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	113
PID 3784 wrote to memory of 5020	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	115
PID 3784 wrote to memory of 5020	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	115
PID 3784 wrote to memory of 5020	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	115
PID 3784 wrote to memory of 4276	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	123
PID 3784 wrote to memory of 4276	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	123
PID 3784 wrote to memory of 4276	3784	JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe	123
PID 4276 wrote to memory of 1380	4276	cmd.exe	125
PID 4276 wrote to memory of 1380	4276	cmd.exe	125
PID 4276 wrote to memory of 1380	4276	cmd.exe	125
PID 4276 wrote to memory of 4052	4276	cmd.exe	126
PID 4276 wrote to memory of 4052	4276	cmd.exe	126
PID 4276 wrote to memory of 4052	4276	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f2c0a69ee5e1d5b37902eed209b9769195c5a101daf61e2b403f1433fe6bd5b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\Desktop\*.txt" "C:\Users\Admin\AppData\Local\Temp\3294\_Files"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Web Data" "C:\Users\Admin\AppData\Local\Temp\3294\_Chrome\default_webdata.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\3294\_Chrome\default_logins.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Cookies" "C:\Users\Admin\AppData\Local\Temp\3294\_Chrome\default_cookies.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Network\Cookies" "C:\Users\Admin\AppData\Local\Temp\3294\_Chrome\default_cookies.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data" "C:\Users\Admin\AppData\Local\Temp\3294\_Edge\default_webdata.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\3294\_Edge\default_logins.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" "C:\Users\Admin\AppData\Local\Temp\3294\_Edge\default_cookies.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies" "C:\Users\Admin\AppData\Local\Temp\3294\_Edge\default_cookies.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/1ckv2sw8.Admin\formhistory.sqlite" "C:\Users\Admin\AppData\Local\Temp\3294\_Firefox\formhistory.sqlite"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/1ckv2sw8.Admin\cookies.sqlite" "C:\Users\Admin\AppData\Local\Temp\3294\_Firefox\cookies.sqlite"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/1ckv2sw8.Admin\signons.sqlite" "C:\Users\Admin\AppData\Local\Temp\3294\_Firefox\signons.sqlite"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/1ckv2sw8.Admin\logins.json" "C:\Users\Admin\AppData\Local\Temp\3294\_Firefox\logins.json"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/1ckv2sw8.Admin\key3.db" "C:\Users\Admin\AppData\Local\Temp\3294\_Firefox\key3.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/1ckv2sw8.Admin\key4.db" "C:\Users\Admin\AppData\Local\Temp\3294\_Firefox\key4.db"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c expand.exe "C:\Users\Admin\AppData\Local\Temp\piDtn6m.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceGet" & schtasks /create /tn \Service\Diagnostic /tr """"C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.exe""" """C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.dat"""" /st 00:01 /du 9800:49 /sc once /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\piDtn6m.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceGet"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \Service\Diagnostic /tr """"C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.exe""" """C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.dat"""" /st 00:01 /du 9800:49 /sc once /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4052

C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.exe
C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.exe "C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.dat"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3294.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294.zip

Filesize
396KB

MD5
c26cbd3cf3e7c146c394d04e40469eb5

SHA1
14de47a1cd444f2e0fff10a3451ad40afd9a340e

SHA256
c8df03b58125c168ffbd98a1dc0b55e87a8b3bd729b77f44a95dea9d9a658494

SHA512
b23e9490a126bb58c42b8ccd049f6b4fe6ee59b532d749eb9a1fcf60036070ee1c2928a609ad07cc3d81a69ff9987f993b3f8e58d0f9f210008e42e50910adc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294\_Chrome\default_cookies.db

Filesize
20KB

MD5
b7cedab89f52aec5acda9c3f8d209a5a

SHA1
a97b2ad95c60e7b3945a1dd48f9617f7696cbd47

SHA256
4538585d6555d95d4a9ba6a6f48619de0a01636910be35e0243373ff41b232c9

SHA512
a85b3e9ddfd8ec8d0aecc840692293cb8d78ee2f541ffbf9b9b0bbc580762e09eb05c6766892f67c6407bf9bad91951c3d0dfc1b59421ab6e3852348318c656b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294\_Chrome\default_logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294\_Chrome\default_webdata.db

Filesize
114KB

MD5
f1b0d67d9700b657fffb1e53c14444ae

SHA1
ae8a3a681da72d78263510a2e6a2ad5a66cb0164

SHA256
7a26e63a529f6c2ceb6063b72e61caae2a643152c7b1b75b3396a700aac95bc1

SHA512
a2b3ab1807a517b1b499df7d8cbd7b695918113f4124b60ab54b6fa1b2fee6d0813c73202ceec42c7b9fc2c124e0555ecff62acb948cf0ddc19b51607f527b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294\_Edge\default_cookies.db

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294\_Edge\default_logins.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294\_Edge\default_webdata.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294\_Files\SwitchRestore.txt

Filesize
352KB

MD5
09ea0ea03f62cfbd8082e4e828cb358b

SHA1
c88385e727420ba0faba54dab0eb330035223293

SHA256
fd04ff9c1d05f5db3ad23d4476e66a9d7721a5421211e7981782fbb655d22396

SHA512
55363b045625db303d6311c510b8a5117d2438aca7f048b814aa7d064a799593cc09cd7da0fe996c62e873ac22e0df359a37de302e425afc24c50dd2cfdab7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\autD86E.tmp

Filesize
416KB

MD5
8693120d43190390c7638a7602c9f8b1

SHA1
4f592cc16de398ab25d0005774610f2dfc5b3ce8

SHA256
b101aab1d1b820f04e39d7fac4e7993361fb5f7dc2543ecfa709bbaf04bfdcfa

SHA512
f5fb19e3c0614668a387fb8d3aba2e4badf587f34c3000dca109f065c75b3b24927cfbaa8a3b851d1d3d847b4b170bdc508a9d682cae79d0ffa77c20abb73ca4

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.dat

Filesize
133KB

MD5
5e83ae9c87fcf9e910d886142bf154ad

SHA1
e708d0ce5608b3e762f250cee7a58910a4534dd4

SHA256
043705792ba725ac805554f58b0badf4c6ad8b702ce4c3d768b1f6e665e14dec

SHA512
fdbfff8cf42aa244de5a9b3c93628870170c8dc065ca65445ffd0987cd3738be443120d78dbd589bfb7f5f7f069930fa5042a490e248c60314c843f621854fdc

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceGet\Sokolevu.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit